PRSummit: Cyber-Risk — Not If, But When

MIAMI— There is no CEO in the world who can ignore the issue of cybersecurity, We Communications founder and CEO Melissa Waggener Zorkin told the Global Public Relations Summit audience in Miami this morning—and they are looking to public relations professionals to help them shape their communication around this issue.

Waggener was introducing a panel focused on “Communicating in the Complexity of Today’s Cybersecurity Threat Environment,” moderated by David Sanger, national security correspondent for The New York Times, who started by discussing the variety of cyber-threats that companies and governments need to think about: data theft and the potential for personal credit card information to be compromised; intellectual property theft; cyber-espionage; and destructive hacks, such as those targeting companies like Sony and Saudi Aramco.

The Sony hack was the focus of much discussion because it came out of left field and showed that this was not an issue only for a handful of obvious targets.

“We had a conception about who the bad guys are and who they are targeting,” said Andy Ozment of the Department of Homeland Security. “Sony changed that. All of our planning assumed that we would be dealing with a power plant or a financial services company. Sony was outside of our frame of reference, which posed a challenge.”

While the emails that were released to media were the focus of much of the media coverage, the Sony hack took down the company’s entire computer system, said Jose Pagliery, staff writer at CNN Money. The lesson for everyone in the room: “You are in a losing game against hackers. If only one person gets in and is able to do something destructive, they are going to get the headlines. Every company is going to get hit at some time and that realization is going to change the way you talk about it.”

The Sony hack was what brought that home to many companies.

“It wasn’t Target or one of the credit card hacks, it was Sony that changed the discussion,” said Tim Rains, chief security advisor at Microsoft. “In the aftermath, instead of talking to people who were charged with safeguarding data, we were talking to CEOs and boards of directors, and it was the potential for reputation damage that got those people focused on the issue.

“CEOs care about their ability to share information, internally and with outside partners, and they want to know they can do that without the threat that those documents will leak.”

One lesson from Sony was that the conventional crisis management playbook helped, but was not sufficient for a uniquely complex communications challenge.

“When Sony happened, they had their shareholders, their employees, the government, their stars, their customers to deal with,” said Nicole Miller of Waggener Edstrom. “They knew enough to get their CEO out in front of the media, they knew enough to get the government agencies involved, but I am not sure they had a playbook that covered all the bases.”

One lesson from Sony and other hacks is that companies need to be a lot more specific about what happened to them. “Be specific,” said Pagliery. “In many cases, it’s not as bad as it looks”—he pointed to the IRS hack earlier this year—“and you need to communicate that very clearly and specifically.” In addition, he said, treat both reporters and consumers as if you respect their intelligence; don’t try to obfuscate.

Miller agreed: “Technology reporters are very technical, and they are the ones who set the tone for what is said in consumer publications and policy publications. They influence the coverage that follows, so the more you can explain to them, the better. One of the things that makes cybersecurity unique: you have to communicate the technical details but you have to take care of your consumers who… all they see is the car in the ditch and they want to know what it means for them.”

Sanger made the point that when the Office of Management & Budget was breached, it was not able to provide that level of specificity.

“That’s a possibility for the people in this room,” Ozment said. “You have to be prepared for the fact that you might be forced to communicate before you have the facts, before you know whether 300 people are affected or 300,000. We took the view that you should not use a number until you know it’s an accurate number, but somehow those numbers were out there.”

For communicators, Miller suggested, it’s not necessary to have all the answers, but it is important to have thought about the kind of questions you are likely to be asked, and to know how you will respond to those questions.

Added Rains: “That’s why the first step is making the assumption that you will be breached. Only then can you start to think about what you will do when the breach occurs.”